Configure periodic re-authentication to maintain security compliance for Dynamic
Privilege Access-enabled Prisma Access Agent deployments.
The Dynamic Privilege Access-enabled Prisma Access Agent continuously validates user
trust through background authentication processes that do not interrupt user
activity. Customizable authentication timers extend this capability by giving you
control over when users must explicitly re-authenticate by providing their
credentials. This allows you to align authentication intervals with your
organizational security policies and compliance requirements.
Re-authentication Frequency
You can define the frequency that determines how often users must provide their
credentials. This frequency applies globally across your deployment and directly
controls the user refresh token lifetime. You set this interval between 10 hours and
30 days, with a default of 7 days.
Notification Settings
To prevent workflow disruption, you configure notification timers that alert users
before their authentication expires. You specify how many minutes in advance users
receive warnings, with a range of 5 to 120 minutes and a default of 60 minutes. You
can also customize the notification message that displays to users. If you leave the
re-authentication notification message empty, the agent displays a default
message.
Gateway Session Timeout
The gateway session timeout operates separately from re-authentication frequency and
controls how long an established connection to the gateway remains valid. You
configure this timeout at the Agent Settings level, with values ranging from 2 hours
to 30 days and a default of 10 days. This setting was previously named Session
Timeout and has been renamed to Gateway Session Timeout for clarity. The
notification settings that were previously configurable at the agent level now map
from the Global Agent Settings.
Aggressive Authentication
For deployments requiring stricter security enforcement, you enable aggressive
authentication. This setting is available for Dynamic Privilege Access tenants and
defaults to false. When you enable aggressive authentication, the system forces
users to re-authenticate immediately during manual gateway reconnection, gateway
session extension, machine reboot, and user refresh token expiry. When aggressive
authentication is disabled, re-authentication is required only when the user refresh
token expires, and gateway session extension is seamless without requiring user
input.
Gateway Session Extension Behavior
When the Gateway Session Timeout is reached, the agent's behavior for extending the
tunnel depends on the Aggressive Authentication configuration:
User Experience
When users reach the re-authentication threshold, their experience varies based on
your configuration and their current connection state.
Connected users receive notifications at the configured time before
re-authentication. When users click on the notification, the agent initiates the
login workflow while the existing tunnel remains up and backend jobs continue
uninterrupted. If users do not complete re-authentication before the deadline, the
user interface signs out from Endpoint Manager and users must re-authenticate to
restore access.
With aggressive authentication enabled, users must complete re-authentication while
the session timer counts down. If users complete re-authentication successfully, the
agent performs the session extension and the tunnel stays up. If users do not
complete re-authentication in time, the tunnel goes down and users must click
connect and re-authenticate to restore the tunnel.
For authentication methods using client certificates, re-authentication notification
does not apply. The agent automatically authenticates and refreshes tokens without
explicit user prompts.
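The following is an added illustrative model of the timer rules described in the Re-authentication Frequency, Notification Settings, Gateway Session Timeout, Aggressive Authentication and User Experience sections above. It is not Palo Alto Networks code and does not call any Prisma Access API; the class and field names (ReauthPolicy, reauth_frequency, notify_before, gateway_session_timeout, aggressive_authentication, client_certificate_auth) and the event labels are assumptions chosen for the example. It encodes the documented value ranges and defaults, and answers two questions a practitioner wants before rolling out a policy: is the planned configuration within range, and for a given event (token expiry, manual reconnect, session extension, reboot) will users be prompted for credentials.

```python
"""Illustrative policy model of Prisma Access Agent re-authentication timers.

Added example, not vendor code. Names below are assumptions; the ranges,
defaults and rules are taken from the documentation text.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
MINUTE = timedelta(minutes=1)

# Events at which the agent may demand credentials (labels are assumptions).
TOKEN_EXPIRY = "user_refresh_token_expiry"
MANUAL_RECONNECT = "manual_gateway_reconnect"
SESSION_EXTENSION = "gateway_session_extension"
MACHINE_REBOOT = "machine_reboot"
# These three force a prompt only when aggressive authentication is enabled.
AGGRESSIVE_ONLY_EVENTS = {MANUAL_RECONNECT, SESSION_EXTENSION, MACHINE_REBOOT}


@dataclass(frozen=True)
class ReauthPolicy:
    reauth_frequency: timedelta = 7 * DAY          # 10 hours .. 30 days, default 7 days
    notify_before: timedelta = 60 * MINUTE         # 5 .. 120 minutes, default 60 minutes
    gateway_session_timeout: timedelta = 10 * DAY  # 2 hours .. 30 days, default 10 days
    aggressive_authentication: bool = False        # default false
    client_certificate_auth: bool = False          # cert auth: silent token refresh, no prompt

    def validate(self) -> list[str]:
        """Return the list of range violations; an empty list means the policy is valid."""
        problems: list[str] = []
        if not 10 * HOUR <= self.reauth_frequency <= 30 * DAY:
            problems.append("reauth_frequency must be between 10 hours and 30 days")
        if not 5 * MINUTE <= self.notify_before <= 120 * MINUTE:
            problems.append("notify_before must be between 5 and 120 minutes")
        if not 2 * HOUR <= self.gateway_session_timeout <= 30 * DAY:
            problems.append("gateway_session_timeout must be between 2 hours and 30 days")
        # Sanity check beyond the documented ranges: a warning issued after the
        # deadline is useless, so the lead time must be shorter than the interval.
        if self.notify_before >= self.reauth_frequency:
            problems.append("notify_before must be shorter than reauth_frequency")
        return problems

    def requires_credentials(self, event: str) -> bool:
        """Does this event force the user to re-enter credentials?"""
        if self.client_certificate_auth:
            return False  # agent authenticates and refreshes tokens without prompts
        if event == TOKEN_EXPIRY:
            return True   # always required, regardless of aggressive authentication
        if event in AGGRESSIVE_ONLY_EVENTS:
            return self.aggressive_authentication
        raise ValueError(f"unknown event: {event}")

    def schedule(self, last_login: datetime) -> dict[str, datetime | None]:
        """Compute when the user is warned and when the refresh token expires."""
        deadline = last_login + self.reauth_frequency
        # No notification is shown for client-certificate authentication.
        notify_at = None if self.client_certificate_auth else deadline - self.notify_before
        return {"notify_at": notify_at, "reauth_deadline": deadline}


if __name__ == "__main__":
    planned = ReauthPolicy(reauth_frequency=30 * HOUR, notify_before=30 * MINUTE,
                           aggressive_authentication=True)
    print("violations:", planned.validate())
    for event in (TOKEN_EXPIRY, MANUAL_RECONNECT, SESSION_EXTENSION, MACHINE_REBOOT):
        print(f"{event}: prompt={planned.requires_credentials(event)}")
    print(planned.schedule(datetime(2024, 1, 1, 8, 0)))
```

With the defaults, only refresh-token expiry prompts the user and the warning fires 60 minutes before the 7-day deadline; switching aggressive_authentication on makes reconnects, session extensions and reboots prompt as well, which is the trade-off between seamless session extension and stricter enforcement that the sections above describe.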
Complete the following steps to maintain security compliance for your Prisma Access
Agent deployment.